In the absence of figures from the practitioners, experts tend to fall back on surveys of victims, often compiled by firms that sell security software. These have a whiff of self interest about them: they are the kind of studies that get press released but not peer reviewed.

The security industry sometimes plays “fast and loose” with the numbers, because it has an interest in “telling people that the sky is falling”.